Internet Explorer Faces CERTAIN Extinction

Hi Spanner:

I'm curious. You have expressed a view that I rarely hear. You prefer IE to Firefox with all of its cool extensions, tabbed browsing, etc? Like I said in an earlier post, I agree that it doesn't really matter and I'm no evangelist. But I am curious, could you list 1., 2., 3., etc, what you like about IE over Firefox? I just find it fascinating that someone could try them side by side and still like IE better. Just really curious, could you list in 1,2,3 fashion why you are liking IE over Firefox? I'm sure I'm not the only one that would be interested in knowing. maybe I'm missing something? Have a good week.

Gerard Morentzy

 

If you're that familiar with the Secunia list then you will also be familiar with the HTML Elements Buffer Overflow Vulnerability - this allowed remote access, was being used by malware (MyDoom) and could not be worked around by configuring IE prior to the patch, the only fix being to switch browsers. Now this has been patched - but you can be sure that there will be further similar issues with IE, and it is the unpatched (and undisclosed) vulnerabilities that are the biggest problem. Opera and Firefox have a smaller codebase (meaning less bugs assuming a similar level of coding quality) and are not integrated into Windows like IE is (hence the vulnerabilities that do occur are less likely to affect Windows itself and therefore have less effect).

A mild inconvenience? Having to answer a prompt for a cookie whenever you load a webpage here? Having to answer multiple prompts for ActiveX, Java and Javascript applets with many other webpages? If you go through all that then you must have the patience of a saint - but really wouldn't it make more sense to use an application where you don't have all that hassle?

Well, given the previous track records (at Secunia and elsewhere) I can pretty confidently predict that Firefox and Opera will continue to have fewer flaws and less severe ones - due to the smaller codebase and lack of integration with Windows mentioned above.

While this can certainly strip away a lot of unnecessary stuff from Windows and offers options that Microsoft should have made available in the first place, it can't do much about simplifying Windows' design or user interface.

No, but Microsoft sure moves heaven and earth to stop you from removing Internet Explorer! No option in Add/Remove Programs, IE and OE made default choices in "Set Program Access and Defaults", the Internet Explorer folder protected by Windows File Protection (if you relocate your program files folder to another drive, WFP will even create an empty Internet Explorer folder for you - and refuse to let you delete it!), extra functions like Help Centre and NetMeeting require IE, Windows Update cannot be accessed without IE with ActiveX enabled ("now just loosen your security belt and drop those trousers to let us check your internals - don't worry, Doctor Bill's done this millions of times and not accidently castrated a single user..."), the list goes on. Even if you do manage to remove IE (the only realistic option seems to be using XPLite which Spanner mentioned above - IERadicator is another possibility but Windows File Protection has to be disabled first on Win2K SP2+/WinXP systems), the next Service Pack will just reinstall it.

Sounds like someone missed out on the "browser wars" a few years ago (when Microsoft was doing everything it could to put Netscape out of business, including preventing copies of Netscape from being included on new PCs). There was (and still is) a war going on with Microsoft trying to use IE's market share to drive sales of Internet Information Server (IIS) - and adding proprietary features to IIS that only work with IE. This even extended to blocking other browsers by default previously. So the issue is not solely about IE's merits (or lack of them), but Microsoft's persistent attempts to prevent users from turning to alternatives.

 

Err hows that ? I have Never indulged in ANY talk of Browser Wars at All, and you will NOT find Even 1 word to that effect Anywhere from me. All i have done and do is point out and show the fact that IE can be MADE Safe and Secure !

[/Quote]

Hey Hey calm down. No need to shout. See that smiley at the end? I was teasing. In any case, you think IE can be made safe and secure, but it's hard for you to see why we think firefox is just the easier and safer option if you havent tried it. That was all I was saying

Here's a question, how many security software do you run that is solely if not primaily used to protect IE? Add other software that have a IE only component.

Sure, but I'm paranoid. Most of us here are. I could probably get away with just firefox, router and a personal firewall + some on demand scanners. In fact, I have done so for months at a time. That wouldn't be possible if IE was my primary browser. I would need at least proxomitron or something similar and extremely tight settings.

To secure IE for a typical user, I would need at least spywareblaster, IE spyad, and maybe spywareguard + teatimer. Add a excellent Hosts files.

All of these (except maybe Hosts) won't be necessarily without IE. And that only protects them , if the site they're visiting happens to be blacklisted or the CSLID for activex control is listed.

It wont give me any protection at all from IE exploits, which would involve stuff like hardening your local machine zone and other even more obscure tweaks, which is face it , an arcane art to most people.

Okay then, Be honest, how long did you figure out how to make your local zone visual? How about the other tweaks you made? I see in your response to Paranoid, you boast that your setup is immune to all kinds of exploits that normally work on ordinary systems.

I believe many of them don't work on non-NT systems, but even then, I'm certain you are runnign with all sorts of tweaks, that have side effects that you 're arent aware of . I have experimented with Qwi-fix , secureit and whatnot, and both seemed to work fine but eventually i noticed some weird effects. All this takes time to figure out, so you must understand why I think the time and effort to really secure IE is very very high.

In fact, for most systems I help configure I dont borther with this at all, I just setup IEspayd, Spywareblaster, Hosts file, and then pray the user knows how to update them. It works most of the time, but not even close to 100% when the user switches to firefox.

 

Heh, so does IE, unless you are using a external utility to clean it up (Some exist for Firefox too). In fact, on top of this, IE has the imfamous super-hidden, hard to remove index.dat that you can remove using options within the browser.

Of course the super-geeks really know a dozen ways to remove it, but seriously, why should you go to such lengths? In firefox, clear all, just clears all. In IE , it doesn't.

 

After having carefully read this thread I have to say that the only people giving clear, cogent arguments are the ones who come down on the side of Firefox. It seems to me that the IE buffs are just whistling in the wind!!! (Biased? Biased? Me, Biased?? you're damned right I am.)
Sorry spanner, you're a trier ~snip~ refrain from name calling please - snap

 

At least Spanner signs in and posts, he doesn't hide as a guest!

 

Yes got that one! And cheers Spanner.....Even an FF convert like me can appreciate your honest and informative posts. I'd even have a go at securing IE if I weren't so dopey (Oztralian!) and lazy! Keep up the good work Spanner and don't be perturbed by someone lacking the 'intestinal fortitude' to actually register and contribute.
Brad.

 

Good to see someone checking the vulnerability details, but I would point out a few issues with your analysis.

Quoting further from the US-CERT link you provided:

"The vulnerability is caused due to a boundary error within the handling of certain attributes in the <IFRAME> and <FRAME> HTML tags. This can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings in e.g. the "SRC" and "NAME" attributes of the <IFRAME> tag."

Frames do not contain code but simply offer a way of splitting up a webpage. Therefore Active Content or Security Zone settings should not affect their usage - or protect from this vulnerability.

From CERT: "Disabling Active scripting makes it somwehat more difficult for an attacker to prepare the heap to easily execute arbitrary code." Please note, more difficult rather than not possible.

If you ever clicked on a link, then you have followed an unsolicited link. While links sent in spam emails are certainly more risky, an open forum like this where guests can post and include their own links can also provide an infection route. Even a trusted website could be altered by an attacker to include this exploit so not following links is no guarantee of safety.

Older versions of OE would certainly increase the risk factor - but the problem is with IE itself, so while email (especially spam) is a possible method for using this vulnerability, it is by no means the only one.

Sorry, but again this is no guarantee of safety. Most email-borne worms spoof the sender address, in some cases using the infected system's address book. So if someone you know (i.e. someone with your email in their address book) got infected, you could receive an infected email from a seemingly trusted source.

While good general advice, antivirus software cannot protect against buffer overflows. However if an attacker uses a buffer overflow to install known (as opposed to customised) malware, then the antivirus scanner is likely to pick this up. So again, not a complete defence. As CERT state: "Do not rely on antivirus software to defend against this vulnerability."

Um, are you sure you are talking about Frames and not Javascript, Java, ActiveX, etc? I see no option for Frames in Internet Options on my system (though I run Win2K with IE 5.0 - I never use it and have blocked network access for it with my firewall so see little point in updating it). The only method for blocking frames that I know of would be to use a webfilter like Proxomitron to remove them. Even if the option was available, since frames are quite often used in webpages, prompting for each one would seem a sure way to "point and click insanity" and blocking them would mess up a website's appearance.

Or hijack and alter an existing site.

As mentioned above, any link could lead to a compromised webpage.

In this is case, it is guaranteed that Netscape/Opera compromises will have less effect because they are applications separate from Windows itself, while IE is so heavily integrated that it effectively is part of Windows. This means that IE has extra functions that are of no use on normal websites (like the ms-its: protocol) but which can contain bugs or vulnerabilities, and that it is far harder to "isolate" IE's activities from Windows system activities.

Secure software has to be simple and minimalist - this reduces the number of bugs, design flaws and the consequent vulnerabilities. And if IE's track record of 70 vulnerabilities to Opera's 34 (Opera includes an email, newsreader and chat client as well so comparing it to IE+OE+MSN = 70+18+3 = 91 would be a fairer comparison) or Firefox's 19 (looking at Firefox 0.x since this has a longer track record) doesn't provide convincing evidence, then heaven knows what does.

You did state that you had all options disabled - allowing cookies is usually not a security risk but can be a privacy issue.

This is going OT from the above vulnerability issue, but sensitive information can be sent to other websites using HTTPS without your consent as discussed elsewhere.

Yes, being prompted is far safer - but considering that IE will keep nagging you about ActiveX and considering that very few sites actually make good use of it, wouldn't it make more sense to cut this out completely and use another browser which removes this insecure option?

I don't think anyone is dismissing your setup - it will remove some of the most popular exploits. However no-one can be "completely" secure while using a fundamentally unsafe product like IE so anyone appearing to express this view will (and rightly so) trigger some debate.

I did evaluate Firefox back in its 0.6 incarnation and I would strongly suggest you check out the extensions also. Firefox on its own is a fairly simple product, but extensions can add extra features like mousewheel support, mouse gestures, further configuration options and plenty of other useful features. I would also suggest checking the 30 Days to Becoming an Opera 7 Lover page - while it pushes Opera rather than Firefox, it does highlight the many usability enhancements both offer over IE (tabbed browsing, single letter search-engine access, customisable toolbars - so you can maximise webpage visibility, mouse gestures, etc).

 

Let me first address the screenshot you attached, I have had such an experience., Actually those files attached are blank files. Don't believe me? Use a text viewer to read the files. Compare that to the real cache files left behind.

Second, how long did you take to long about index.dat and how long did you take to research and settle on a specialised PAYWARE product to handle a IE problem? Call me old fashioned, but I don't really think you should *need* any external product to clean something that is left behind by your browser, payware or not.

As for "Gutman" (sic) mode, I can just simply use Eraser or any free secure deletion product on firefox's cache and history.dat, without resorting to yet another additional specialised tool.

 

TRUE. But on the other HAND , the way SPANNER POSTS , you MIGHT be hard pressed to tell the DIFFERENCE !

 

Hmm, are you a native english language speaker? Yes you are supposed to call me old fashioned. Well not literally anyway, it was a figure of speech.

I think it's my turn to tell you to learn how to read and to quote properly. I'm not talking about secure deletion.

My point is the index.dat cannot be easily removed, you need to use either external software or use some other alternative method that cannot be done within the browser to clear them. With firefox you don't have such a problem.


Quote ronin - ( Originally Posted by bigbuck At least Spanner signs in and posts, he doesn't hide as a guest!
TRUE. But on the other HAND , the way SPANNER POSTS , you MIGHT be hard pressed to tell the DIFFERENCE !

What so now your predjudiced against someone who uses colour ?

[/Quote]

Not just color, but also overuse of Caps.

No law against it. Though it does make you look like a noobie. After all, there's a very good reason why nobody else is doing it.

 

Gentlemen, let's be sure to keep on track and leave any personal comments out of the deabte/discussion.

 

Sorry, but those options only cover programs within frames and frames from third party sites. They do not cover frames generally so would not provide protection from this exploit.

ActiveX, Javascript and Java are not used for the buffer overflow itself but make it easier for an attacker to set up the heap contents first to ensure that their code was run. See the Tao of Windows Buffer Overflows for more details of how this sort of exploit works.

Setting these to Prompt would not prevent a buffer overflow - this comes down to a program's internal coding (i.e. what sort of boundary checks it applies to incoming data). While Firefox and Opera could also be vulnerable to buffer overflows (e.g. Mozilla Multiple Vulnerabilities, Opera Long Filename Extension Buffer Overflows) - to date these have been fewer in number and less critical.

The point I wanted to make was it is not possible to tell beforehand if a link is "safe" or not. Saying that you never click on a dubious link is like saying you never run a dubious program - the most dangerous malware is that which seems like a useful program so assuming foreknowledge of what is good and what is bad is not a reliable security measure.

The presence of attachments and message size can certainly indicate something suspicios but malicious HTML has neither of these attributes. Using text-only display should avoid HTML provided the email client doesn't try to be "helpful" and switch back on receipt of HTML.

A sensible step - but programs like BugOff do depend on the author's knowledge of IE, and the information that Microsoft choose to disclose.

Opera have been around since 1995 so you can be fairly sure their browser has been thoroughly tested. Firefox is a more recent product with the project starting in 2002 I believe. However it is open source so anyone can view its internals and audit it for security unlike closed-source products like Opera or IE.

Simply having avoided problems in the past is no guarantee of avoiding them in the future - especially given the increasing sophistication of malware and the (greatly!) increased emphasis on compromising end users (previously it was mainly servers that were targets). While constantly patching IE will deal with the most common threats, these updates can also add their own problems. Using software that has been better designed, better implemented and more thoroughly tested should be an obvious choice - and it should be equally obvious that IE has been a failure and will continue to be until (or unless) Microsoft do a complete rewrite of it with the emphasis on security.

Yes I did note your posts - which is why I mentioned it only in passing...

...assuming that IE's checks for ActiveX cannot be bypassed by obfuscated HTML or other techniques for hiding content (I have not tested this, but am putting it forward as a possibility).

You're welcome. Firefox came close, with the appropriate extensions - but was missing a few small but (for me) significant features so I have continued with Opera.

I only allow cookies on Wilders - no Javascript, Java or ActiveX. It is most likely that ActiveX is used for extra features but it should not be necessary to allow it.

Opera has had this since version 5...there's the cue for an Opera v Firefox thread! Other features to check out:

• Single letter search engine access: type g <text> in the address bar and Opera/Firefox will do a Google search on the text supplied (I think Firefox automatically takes you to the first result). Other letters can access other search engines, e.g. e for an eBay search.
• Mouse gestures - you can reload a page in Opera by holding down the right mouse button and moving your mouse up then down. Move the mouse left to go back a page and right to go forward. There is an extension for Firefox to do the same thing.
• Full screen display - pressing F11 in Opera toggles a full screen display, removing all toolbars, titlebars and other window paraphernalia to just show the web page itself. You can then navigate using keyboard shortcuts, mouse gestures or press F11 again to revert to a normal display.

 

That is the really nice thing about open source software is that it is always being improved ( firefox/mozilla1.7.5

bigc

 

Good thread. Spanner, bottom line on the index.dat is that with IE you have it and it needs to be cleaned. IE writes every URL visited into that index.dat file (thanks to integration with Windows). Firefox does not write to any such file. Score one for Firefox in the privacy category.

 

The same goes for every piece of software you use - however shouldn't it make sense to pick those programs with a better track record of fewer security holes and faster fixes?

Because I consider certain features of Opera more important - that's a value judgement for me personally and others are free to draw other conclusions. Open source in my view is critical for hard-to-implement and hard-to-verify tasks like encryption (i.e. where seeing how the program works is critical to determining how secure it is) but browsers overall do not fall into that category. So open source is a plus (faster development and faster fixes) but not an overwhelming one for Firefox in my opinion. Yet.

What happens when you try posting with ActiveX disabled?

ActiveX does nothing in the background for non-IE users. They don't see some of the IE-specific features (like the "glow stuff") but for me, that's a benefit.

We're just trying to keep you online until the forum admins track down your real-world address - then we're all going to turn up on your doorstep with baseball bats.

 

After many attempts at trying to fix ie6 i finally found the secret patch.
May as well tell you the big secret--the name of the final fix is FIREFOX.

 

This is such a poor argument. This shows that while you are intelligent, your thinking is what intellectuals (not that I claim to be one) call undisciplined thinking.

Your logic seems to be that if it hasn't happened before then it isn't going to happen. If the status quo has brought no consequences, then it must be okay.

Consider that someone can be a horrible driver but never experienced a car accident. Does that, by virtue of their record, a "good" driver? I think now.

Consider America on September 10th, 2001. No planes had ever been flown into skyscrapers and killed thousands. Never! Not once! America must be safe from such things happening. After all, it had never happened before. A day later, on September 11th, 2001, the fact that it had never happened until that morning meant absolutely nothing.

My neighbor said his exercise regimen of walking around the block once a month was sound and would keep him healthy because, alas, he had never had health problems. In your words, it had "never let him down once." Until, of course, the day he had a heart attack.

Your argument means nothing. It is not fit to use in any kind of discussion about, literally, anything!

 

These threads on IE vs FF et al are by now a running joke, entertaining (up to a point).

There isn't anything stopping users from having 10 Browsers on their system and alternating them every five minutes if they so wish.

Now lets get to the real world. While FF and Opera are out of the box more secure, the average user, which certainly does not describe members of this site, still cannot surf the Net with alternative browswers w/o running into problems because a great many sites demand IE, that's just a fact of life for now. Hopefully that will change and I see signs that is happenning.

Regards - Charles

 

Lynchknots post removed as off topic
bigc

 

spanner - The paragraph was meant to read:

"Consider that someone can be a horrible driver but has never experienced a car accident. Does that, by virtue of their record, make them a "good" driver? I think not."

The difference is that the "bad driver" CANNOT say, simply because he hasn't had any accidents, that he is a "good driver." Bad is bad is bad. The fact he has not had any accidents only means he has been accident-free in SPITE of his driving.

How does that relate here? You have, on several occasions, said that you must be doing something right with your computer security because you haven't ever had any troubles. I (securityuser, "seccy", me), I have not said that you WILL have troubles. You are the one that has used the poor logic in choosing to define your current level of security based on your history of having used IE and having never had any problems. There lies the difference. I am merely saying "Don't speaketh too soon" and trying to get you to understand that just because you have NOT had troubles does NOT, inherently, mean you've been doing everything right! I don't predict trouble in the future, yet, you claim success based on the past. Yes, you can try to turn it around on me, except that I have not advanced the argument of future projection: you have.

Exactly. Thank you. This is what I am trying to say! You have said it here now yourself! Your experiences on your PC and your saying that you "must be doing something right" because you haven't had troubles is silly. In fact, you could be doing things horribly wrong and just be, well, lucky. Can I say your fate will change? Of course not! Again, I have not advanced that argument. YOU are the one who believes that because of past experience you "must be doing something right." Like you said above, those experiences of "success" don't mean squat in, as you put it, "actuality" or with other users experiences.

Bottom line: what you have been doing does not equate to doing anything right or wrong. But to say that it does, as YOU have done, is wrong. But then, you finally said as much in the paragraph above.

This is getting silly though, so I guess we move on? I simply wanted to warn against your odd belief that you "must be doing something right," when in fact, in many opinions here, DESPITE YOUR RECORD, you are courting trouble by your use of Internet Explorer as your primary browser.

 

[edited] - here,i 'll do it myself. I dont belong to the rehash club - beam me (and my post) up scotty.......

http://img127.exs.cx/img127/152/veryfirstsmiley8kd.gif